Red5 / red5-server

Red5 Server core
Apache License 2.0

nanoStream app manages to get past publishing security check #282

Open andryan opened 4 years ago

andryan commented 4 years ago

I have managed to modify securityPlugin from red5-plugins collection to filter broadcasters based on IP address. However when I tested publishing using nanoStream's publishing app on iOS, I managed to get past the security despite the logs showing it should have failed/been rejected by the server. This does not seem to happen with other RTMP publishing tools I tested.

Environment

  - Operating system and version: Ubuntu Linux 16.04 LTS
  - Java version: openjdk version "11.0.4" 2019-07-16 LTS; OpenJDK Runtime Environment 18.9 (build 11.0.4+11-LTS); OpenJDK 64-Bit Server VM 18.9 (build 11.0.4+11-LTS, mixed mode, sharing)
  - Red5 version: 1.2.2

Expected behavior

It should reject the publishers without any exception thrown in the logs.

Actual behavior

nanoStream manages to publish on Red5 server despite being prohibited. Affects latest Red5 Pro too.

Steps to reproduce

  1. Start Red5 with modified securityPlugin
  2. Add 127.0.0.1 to list of allowed publisher IP
  3. Stream from other IP using nanoStream RTMP publisher
  4. The RTMP URL is now live (EDIT: correction) Red5 accepts the connection from a denied publisher and continues to receive stream data, although the stream URL remains not accessible by subscribers

Logs

https://pastebin.com/Ey2QguXw

andryan commented 4 years ago

https://pastebin.com/a2KxRLWE

These are the changes I made to /securityplugin/src/main/java/org/red5/server/plugin/security/PublishSecurityHandler.java

andryan commented 4 years ago

Additional note I managed to figure out today:

When the IP is allowed to publish (listed in the allowedIP.txt file):

```
2020-05-18 00:55:53,073 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:2
2020-05-18 00:55:53,175 [NioProcessor-5] INFO o.r.s.p.s.PublishSecurityHandler - Allowed publisher IP 182.253.250.213
2020-05-18 00:55:53,176 [NioProcessor-5] INFO com.red5pro.override.ProStream - Start
2020-05-18 00:55:53,176 [NioProcessor-5] INFO com.red5pro.override.ProStream - Inspection active true
2020-05-18 00:55:53,177 [pool-22-thread-1] INFO com.red5pro.override.ProStream - Notify process listeners
2020-05-18 00:55:53,177 [pool-22-thread-1] INFO com.red5pro.override.ProStream - Create Processor clazz:null
2020-05-18 00:55:53,178 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - Stream Publish Start
2020-05-18 00:55:53,178 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:stream x-event:publish c-ip:182.253.250.213 x-sname:a5f55066-56b5-44ec-9cd6-ac3733993992 x-name:testrtmp
2020-05-18 00:55:53,179 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - Stream Broadcast Start
2020-05-18 00:55:53,179 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - adding key LiveApp/testrtmp
2020-05-18 00:55:54,577 [Connection Checker] INFO c.r.s.stream.Red5ProConnManager - Pro connections; Total count: 1, WebRTC ports allocated: 0, edge-proxy: 0, re-streamers: 0, sm-pulses:0
2020-05-18 00:55:59,784 [NioProcessor-5] INFO com.red5pro.override.ProStream - close: testrtmp
2020-05-18 00:55:59,784 [NioProcessor-5] INFO com.red5pro.override.ProStream - Notify process listeners
2020-05-18 00:55:59,784 [NioProcessor-5] INFO com.red5pro.override.ProStream - notifyTerminationListeners
2020-05-18 00:56:01,785 [NioProcessor-5] INFO com.red5pro.override.ProStream - Executor tasks remaining: 1
2020-05-18 00:56:01,891 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:2
2020-05-18 00:56:01,892 [NioProcessor-5] INFO c.r.s.stream.Red5ProConnManager - Remove GZF8MHAADNM6R
```

When the IP is denied:

```
2020-05-18 00:39:27,979 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:1
2020-05-18 00:39:28,080 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,141 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,201 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,239 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,309 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:41,406 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:1
2020-05-18 00:39:41,407 [NioProcessor-3] INFO c.r.s.stream.Red5ProConnManager - Remove LSMCZPOQSLYMB
```

So it looks like, if the IP is denied by PublishSecurityHandler, the stream from this offending publisher is never (properly) registered for subscribers to subscribe to, although the stream data is still accepted by Red5; but this bug could still be used to DoS the service, as the RTMP service still listens and accepts the denied publishers' stream data.
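A small log check for the pattern shown in the denied-IP trace above, added here as an example and not part of this issue or of the red5 project: it parses the timestamped logger format quoted in the comment, counts "Denied publisher IP" events per client address, and measures how long the session stayed open after the first denial, so an operator can spot denied publishers that the server is still servicing. The sample lines and the documentation-range addresses are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shapes follow the timestamped red5/red5pro logger output quoted in this issue.
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[[^\]]+\] \w+ \S+ - (?P<msg>.*)$")
DENY_RE = re.compile(r"Denied publisher IP (?P<ip>\S+)")
DISC_RE = re.compile(r"x-event:disconnect c-ip:(?P<ip>\S+)")

# Constructed sample: one denied client lingers 13 s, one is dropped quickly, one is allowed.
SAMPLE_LOG = """\
2020-05-18 00:39:27,979 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:203.0.113.7 c-client-id:1
2020-05-18 00:39:28,080 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 203.0.113.7
2020-05-18 00:39:28,141 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 203.0.113.7
2020-05-18 00:39:28,201 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 203.0.113.7
2020-05-18 00:39:41,406 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:203.0.113.7 c-client-id:1
2020-05-18 00:40:00,000 [NioProcessor-4] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 203.0.113.9
2020-05-18 00:40:00,250 [NioProcessor-4] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:203.0.113.9 c-client-id:2
2020-05-18 00:41:00,000 [NioProcessor-5] INFO o.r.s.p.s.PublishSecurityHandler - Allowed publisher IP 203.0.113.10
""".splitlines()

def parse(lines):
    """Yield (timestamp, message) for each well-formed line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")

def lingering_denied_publishers(lines, min_denials=3, max_linger=timedelta(seconds=5)):
    """Return {ip: (denial_count, seconds_open_after_first_denial or None)} for
    addresses that were denied repeatedly, never disconnected, or stayed connected
    longer than max_linger after the first denial. Thresholds are assumed values."""
    first_deny, denials, linger = {}, defaultdict(int), {}
    for ts, msg in parse(lines):
        d = DENY_RE.search(msg)
        if d:
            denials[d.group("ip")] += 1
            first_deny.setdefault(d.group("ip"), ts)  # remember the first denial only
            continue
        x = DISC_RE.search(msg)
        if x and x.group("ip") in first_deny and x.group("ip") not in linger:
            linger[x.group("ip")] = (ts - first_deny[x.group("ip")]).total_seconds()
    flagged = {}
    for ip, n in denials.items():
        secs = linger.get(ip)  # None means no disconnect was seen for this address
        if n >= min_denials or secs is None or secs > max_linger.total_seconds():
            flagged[ip] = (n, secs)
    return flagged
```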

mondain commented 4 years ago

If you want to make a patch with a PR, I'd be glad to look it over for merging.